Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-28 Thread Eric LeBlanc
On Tue, 27 Apr 2004, Jedi/Sector One wrote:

 On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
  Are you saying that unless there's an exploit
  that gives you access to the target machine
  your company wouldn't patch

   It's a matter of priority.

   For most PHBs, proactive security must be very low priority because
 keeping systems up to date doesn't bring any money to the company.


Just tell your boss that the
worm/DoS/exploit/whatever-that-will-cause-severe-damage-on-machines-and-network
will cost them more than keeping their systems up to date (with proof).
It's enough to convince them that patching will save them a *LOT* of
money and time (if the patch doesn't break the system, of course, especially
with Microsoft patches).

If they don't want to understand it... Well, I want to be there when their
system gets a virus/whatever, just to see their faces :-)  Oh, it's
possible that the VP of the company will tell you that it's YOUR fault...

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-28 Thread Valdis . Kletnieks
On Wed, 28 Apr 2004 09:35:43 EDT, Eric LeBlanc [EMAIL PROTECTED]  said:

 Just tell your boss that the
 worm/DoS/exploit/whatever-that-will-cause-severe-damage-on-machines-and-network
 will cost them more than keeping their systems up to date (with proof).

That would be easy enough to do, except for the difficulty in actually
generating accurate and believable ROI values for patching.  It's easy to
quantify the costs of the admin time in doing the work and the costs of the
patching downtime if everything goes well, but fiendishly hard to estimate
the costs of a given vulnerability left unpatched.  We've seen critical
vulnerabilities that haven't generated a big flamestorm, and we've seen things
like Blaster/Slammer.  You can't predict which one a given vulnerability will
be, and even for a major event, a significant percentage of systems dodge a
bullet and don't get hit.

 It's enough to convince them that patching will save them a *LOT* of
 money and time (if the patch doesn't break the system, of course, especially
 with Microsoft patches).

So you're left with:

1) Install the patch during the regular patching schedule, with known cost $X
and additional unknown cost $Y if the patch is bad.  In addition, this exposes
you to a worm cost of $W if a small worm comes out (with probability A), and a
higher cost $U if a big worm comes out (with probability 1-A), and both $W and
$U are not guaranteed even if a worm does happen, since your site might dodge
the bullet till the usual patching window.  In addition, you have to factor in
a cost of $V if you're directly targeted by a black-hat, with probability
dependent on target desirability, opportunity, whether that black hat has the
0-day, and whether you've fired anybody recently - and $V was a risk even
*before* the patch/advisory came out...

2) Install the patch immediately, with higher known cost $X+$Z for service
disruption, plus a higher likelihood of incurring $Y due to less regression
testing.

Make reasonable estimates for A, U, V, W, X, Y, and Z. When calculating X, Y,
and Z, make sure to allow for lost opportunity costs - if you're busy doing
X, that's time you're not spending doing other stuff, so if the VP doesn't have
a presentation for a potential client because you were patching rather than
fixing his workstation, the cost of the lost contract should be included.

You have one hour.  Show all work :)

Oh, and remember that for the *next* patch, almost none of these numbers can be
re-used, so you get to do it all over again

The *real* reason that it's so hard to make the case to the average PHB is
because it's actually very hard to calculate the costs/benefits for any given patch.

If you want to actually make the case, take a *year's* worth of money paid to
Redmond, a year's worth of A/V software costs, a year's worth of costs
attributed to fighting viruses/worms/attacks, and suggest a move to RedHat
instead. ;)



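The two options in Valdis's post, worked through as an expected-cost comparison using the post's own symbols (X, Y, Z, W, U, V, A). This is an added example, not code from the thread; the probability names p_bad_sched, p_bad_now, p_hit_small, p_hit_big and p_targeted are my labels for the chances the post describes in words, and every number in EXAMPLE is a constructed placeholder. It also solves for the break-even "big worm hits us" probability, which the post does not do.

```python
"""Expected-cost comparison of the two patching options from the post above.

Added example, not from the thread. Symbols follow the post: X, Y, Z, W, U, V, A.
The probability names (p_bad_sched, p_bad_now, p_hit_small, p_hit_big,
p_targeted) are labels assigned here to chances the post describes in words.
All numbers in EXAMPLE are constructed placeholders, not real estimates.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PatchEstimates:
    X: float            # known cost of patching in the regular window (admin time, planned downtime)
    Y: float            # cost if the patch turns out to be bad
    Z: float            # extra service-disruption cost of patching immediately
    W: float            # cost of a small worm actually hitting the site
    U: float            # cost of a big worm actually hitting the site
    V: float            # cost of being directly targeted by a black hat
    A: float            # P(the worm that appears is small); a big worm has 1 - A
    p_bad_sched: float  # P(patch is bad) with the regular regression testing
    p_bad_now: float    # P(patch is bad) with the reduced testing of an immediate rollout
    p_hit_small: float  # P(site is hit before the regular window | small worm)
    p_hit_big: float    # P(site is hit before the regular window | big worm)
    p_targeted: float   # P(directly targeted during the unpatched window)


def expected_cost_scheduled(e: PatchEstimates) -> float:
    """Option 1: wait for the regular patching window.

    As in the post, A and 1 - A split a worm between small and big, and the
    "dodge the bullet" chance is carried by p_hit_small / p_hit_big. The post
    notes V was a risk before the advisory too; here only the exposure during
    the unpatched window is charged (an assumption of this example).
    """
    worm = e.A * e.p_hit_small * e.W + (1.0 - e.A) * e.p_hit_big * e.U
    return e.X + e.p_bad_sched * e.Y + worm + e.p_targeted * e.V


def expected_cost_immediate(e: PatchEstimates) -> float:
    """Option 2: patch now, paying Z extra and a higher chance of Y."""
    return e.X + e.Z + e.p_bad_now * e.Y


def patch_now_is_cheaper(e: PatchEstimates) -> bool:
    return expected_cost_immediate(e) < expected_cost_scheduled(e)


def breakeven_big_worm_hit_probability(e: PatchEstimates) -> Optional[float]:
    """Smallest p_hit_big at which patching immediately stops being more
    expensive than waiting, with every other estimate held fixed.

    Returns 0.0 if patching now is already cheaper even when a big worm would
    certainly miss the site, and None if no probability in [0, 1] makes it so.
    """
    # Solve expected_cost_immediate == expected_cost_scheduled for p_hit_big.
    big_worm_weight = (1.0 - e.A) * e.U
    rhs = (e.Z + (e.p_bad_now - e.p_bad_sched) * e.Y
           - e.A * e.p_hit_small * e.W - e.p_targeted * e.V)
    if big_worm_weight <= 0.0:
        # A big worm costs nothing or cannot occur: the comparison does not
        # depend on p_hit_big at all.
        return 0.0 if rhs <= 0.0 else None
    p = rhs / big_worm_weight
    if p <= 0.0:
        return 0.0
    return p if p <= 1.0 else None


# Constructed placeholder estimates (currency units and probabilities are made up).
EXAMPLE = PatchEstimates(
    X=2000.0, Y=10000.0, Z=3000.0, W=5000.0, U=50000.0, V=20000.0, A=0.7,
    p_bad_sched=0.05, p_bad_now=0.15, p_hit_small=0.10, p_hit_big=0.50,
    p_targeted=0.01,
)

if __name__ == "__main__":
    print(f"wait for window : {expected_cost_scheduled(EXAMPLE):.0f}")
    print(f"patch now       : {expected_cost_immediate(EXAMPLE):.0f}")
    print(f"patch now cheaper? {patch_now_is_cheaper(EXAMPLE)}")
    print(f"break-even P(hit | big worm): {breakeven_big_worm_hit_probability(EXAMPLE)}")
```

As the post says, the numbers have to be re-estimated for every patch; the arithmetic is the easy part.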


Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-28 Thread Eric LeBlanc
On Wed, 28 Apr 2004 [EMAIL PROTECTED] wrote:

 On Wed, 28 Apr 2004 09:35:43 EDT, Eric LeBlanc [EMAIL PROTECTED]  said:
 So you're left with:

 1) Install the patch during the regular patching schedule, with known cost $X
 and additional unknown cost $Y if the patch is bad.  In addition, this exposes
 you to a worm cost of $W if a small worm comes out (with probability A), and a
 higher cost $U if a big worm comes out (with probability 1-A), and both $W and
 $U are not guaranteed even if a worm does happen, since your site might dodge
 the bullet till the usual patching window.  In addition, you have to factor in
 a cost of $V if you're directly targeted by a black-hat, with probability
 dependent on target desirability, opportunity, whether that black hat has the
 0-day, and whether you've fired anybody recently - and $V was a risk even
 *before* the patch/advisory came out...

 2) Install the patch immediately, with higher known cost $X+$Z for service
 disruption, plus a higher likelihood of incurring $Y due to less regression
 testing.

 Make reasonable estimates for A, U, V, W, X, Y, and Z. When calculating X, Y,
 and Z, make sure to allow for lost opportunity costs - if you're busy doing
 X, that's time you're not spending doing other stuff, so if the VP doesn't have
 a presentation for a potential client because you were patching rather than
 fixing his workstation, the cost of the lost contract should be included.

 You have one hour.  Show all work :)

 Oh, and remember that for the *next* patch, almost none of these numbers can be
 re-used, so you get to do it all over again

 The *real* reason that it's so hard to make the case to the average PHB is
 because it's actually very hard to calculate the costs/benefits for any given patch.

I agree with you. It depends on the situation of the company.

For example:

Case 1:
 - small PME with 10 computers
 - they are all under NAT, on a Cisco/Linksys/486 with linux/openbsd/etc
 - all employees are competent and they have admin privileges on their
   workstations

In this case, the cost to patch their computers is lower (I'm talking about
Windows).  Fast patching isn't even necessary; they can wait some
days or weeks before patching, because they are already protected behind the
NAT/firewall.  Of course, they have configured Outlook to avoid
automatically opening/executing html/vbs/other content, if they use it.  Also, they have
an anti-virus scanner for mail and anti-virus on their computers.

Case 2: Same as Case 1, but all of their computers are connected directly
to the Internet, and none of the employees know the word "patch".

That will be much, much more dangerous, and their computers will be used
as zombies (or whatever) for a long time before a sysadmin sees that
something is wrong in their network. (If he is not competent; I've seen
it once.)

Case 3: a big, big company with 10,000 computers, such as a financial corp.
They are all on a local network and they have Internet access which passes
through a router/NAT/etc.  Employees don't have admin privileges on their
computers, and the company also has 5,000 more laptops for mobile employees,
which they connect to the net everywhere, even in a company.

In that case, I bet you will agree with me that the faster we patch their
computers, the smaller the loss (money/time) will be.

Of course, each company is unique... It's just an example; I want to
show that one method (fast patching in particular) can't apply to all
situations.  We should also consider servers (IIS, MSQL, etc.) as well...
It's a complex thing!




 If you want to actually make the case, take a *year's* worth of money paid to
 Redmond, a year's worth of A/V software costs, a year's worth of costs
 attributed to fighting viruses/worms/attacks, and suggest a move to RedHat
 instead. ;)



Bof, the right tool for the right job.  For example, what if I want a piece of
software that will only run on Windows? :-)

Microsoft has done a lot of work on stability (since XP), but on
security and the patching system, they have a lot of work to do.


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==



RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-28 Thread Ng, Kenneth (US)
It's not my boss, but in conversations with many people that span many
companies, the general line of thought seems to be "until there is an active
exploit that is blowing away machines on my network, we will do nothing.
After all, not every vulnerability that is published is followed by a bad
exploit.  And not every bad exploit manages to get inside.  You're asking me
to spend real money on a theoretical problem.  Remember: IT is a cost
center, something where you do everything possible to reduce costs and
expenditures."

The above are not my thoughts, they are a condensed version of many
conversations.  Do I think it is penny wise and pound foolish?  Yes.  Do I
think these people are not seeing the big picture?  Yes.  But, I'm just an
advisor.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric LeBlanc
Sent: Wednesday, April 28, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] no more public exploits and general PoC
gui de lines


On Tue, 27 Apr 2004, Jedi/Sector One wrote:

 On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
  Are you saying that unless there's an exploit
  that gives you access to the target machine
  your company wouldn't patch

   It's a matter of priority.

   For most PHBs, proactive security must be very low priority because
 keeping systems up to date doesn't bring any money to the company.


Just tell your boss that the
worm/DoS/exploit/whatever-that-will-cause-severe-damage-on-machines-and-network
will cost them more than keeping their systems up to date (with proof).
It's enough to convince them that patching will save them a *LOT* of
money and time (if the patch doesn't break the system, of course, especially
with Microsoft patches).

If they don't want to understand it... Well, I want to be there when their
system gets a virus/whatever, just to see their faces :-)  Oh, it's
possible that the VP of the company will tell you that it's YOUR fault...

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==






RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-28 Thread Gary E. Miller

Yo Kenneth!

On Wed, 28 Apr 2004, Ng, Kenneth (US) wrote:

 ... the general line of thought seems to be until there is an active
 exploit that is blowing away machines on my network, we will do nothing.

Same goes for the vendors.  They deny there is a bug and refuse to work
on patches unless there is an active exploit to rub in their noses.

Please let us not return to the bad old days when our servers were broken
into hourly by exploits that never existed.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676




RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread kquest
Having proof of concept code is always valuable 
(and the sooner the better),
but I question releasing exploits that execute code
on the target machine. Having a DoS PoC is enough...
The legitimate pentesters will be able to modify the
PoC to execute code on the target while, at the same
time, the kiddies will be stuck with something of 
little or no use to them. This way everybody is happy.
Some of you might say that some kiddies will be able
to modify the DoS PoC to execute code for their malicious
needs. Well, if this is the case, then we are no longer
dealing with kiddies... If they can do this then they
are capable of creating their own exploits... 

kcq

-Original Message-
From: johnny cyberpunk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] no more public exploits


hi,

this is an announcement that i personally have no more intention to publish
any further exploits to the public. too many flames from guys who
are too lame to use the exploits or to fix offsets for other
targets. too many risks that kiddies around the world use it for
bad purposes. i saw that the original intention, to publish
exploits for pentesting or patch verifying purposes, didn't work.
remember, that i speak just for me, not for the rest of the group.

cheers,
johnny cyberpunk/thc



RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread kquest
Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch (even if there's
an exploit that crashes the target)? 

I don't know what company that was, but I'm
glad I'm not working for them... Ignoring DoS
exploits is irresponsible... to say the least.

kcq

-Original Message-
From: Harlan Carvey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 3:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] no more public exploits and general PoC
gui de lines


Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

 Having proof of concept code is always valuable
 (and the sooner the better),
 but I question releasing exploits that execute code
 on the target machine. Having a DoS PoC is enough...
 The legitimate pentesters will be able to modify the
 PoC to execute code on the target while, at the same
 time, the kiddies will be stuck with something of
 little or no use to them. This way everybody is happy.
 Some of you might say that some kiddies will be able
 to modify the DoS PoC to execute code for their malicious
 needs. Well, if this is the case, then we are no longer
 dealing with kiddies... If they can do this then they
 are capable of creating their own exploits...



RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread Harlan Carvey
Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

 Having proof of concept code is always valuable
 (and the sooner the better),
 but I question releasing exploits that execute code
 on the target machine. Having a DoS PoC is enough...
 The legitimate pentesters will be able to modify the
 PoC to execute code on the target while, at the same
 time, the kiddies will be stuck with something of
 little or no use to them. This way everybody is happy.
 Some of you might say that some kiddies will be able
 to modify the DoS PoC to execute code for their malicious
 needs. Well, if this is the case, then we are no longer
 dealing with kiddies... If they can do this then they
 are capable of creating their own exploits...



Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread Jedi/Sector One
On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
 Are you saying that unless there's an exploit
 that gives you access to the target machine
 your company wouldn't patch

  It's a matter of priority.
  
  For most PHBs, proactive security must be very low priority because
keeping systems up to date doesn't bring any money to the company.  

 (even if there's
 an exploit that crashes the target)? 

  A DoS will usually not be enough to get some press. Unless most PHBs have
read on ZDNet and Yahoo that a critical flaw has been found in xxx and is
actively being exploited by black hats, they will consider patching a
waste of time. They may even yell at you if patching systems implies a
small downtime, even if it's a critical patch, as long as it has not been
covered by the for-PHBs press.

  Best regards,

-- 
Frank DENIS (Jedi/Sector One) j at 42-Networks.Com
Secure FTP Server: http://www.PureFTPd.Org/
Misc. free software: http://www.Jedi.Claranet.Fr/



RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread Poof
Stupid question here...

So the entire point about the not releasing PoC code is so that admins don't
have to worry about patching?

Isn't this anti-security?

I would personally prefer my computer in the middle of a minefield knowing where
the mines are rather than being in a minefield with only half the mines
active and not knowing where they are.

I personally think that companies need to look at changing their outlook on
patching their boxes. Yes, I know that a 3 second downtime will kill
productivity; however, I also know that when the kiddy (or otherwise)
breaks into that box and rm -f /'s everything there will be more downtime.

It's just security through obscurity. It's not going to help anything. It just
gives people/businesses a false sense of security. Do you think that
DCOM (yes, I know it was a disaster) would have been patched half as 'fast'
if it didn't have the PoC? I don't.

~

 
 On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
  Are you saying that unless there's an exploit
  that gives you access to the target machine
  your company wouldn't patch
 
   It's a matter of priority.
 
   For most PHBs, proactive security must be very low priority because
 keeping systems up to date doesn't bring any money to the company.
 
  (even if there's
  an exploit that crashes the target)?
 
    A DoS will usually not be enough to get some press. Unless most PHBs
  have read on ZDNet and Yahoo that a critical flaw has been found in xxx and is
  actively being exploited by black hats, they will consider patching a
  waste of time. They may even yell at you if patching systems implies a
  small downtime, even if it's a critical patch, as long as it has not been
  covered by the for-PHBs press.
 
   Best regards,
 
  --
  Frank DENIS (Jedi/Sector One) j at 42-Networks.Com
  Secure FTP Server: http://www.PureFTPd.Org/
  Misc. free software: http://www.Jedi.Claranet.Fr/
 




Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread James Riden
Poof [EMAIL PROTECTED] writes:

 Stupid question here...

 So the entire point about the not releasing PoC code is so that admins don't
 have to worry about patching?

[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
for testing purposes as soon as it came out, and was glad to have it]

PoC is good in a lot of ways; but I need to test patches before they
go out too. Unfortunately this vulnerability was present on two of our
most important servers. So life is easier for me if the PoC doesn't
come out in, say, the first week following the patch announcement
- regardless of whether there's another exploit underground, people
will get, adapt and use the PoC.

Basically, I trust the security researchers to consider the time we
need to test these patches when they're releasing PoC code. They may
know that there's already an exploit out in the blackhat community,
in which case publishing won't make any difference to someone's actual
security - as opposed to their perceived security.

 Isn't this anti-security?

A lot of us patch quickly. People who haven't patched after two to
three weeks or so probably aren't going to at all. All other things
being equal, two weeks after might be a good time to publish where the
patch affects critical services. 

Day 1 is probably too soon for comfort for most of us. Day 60 is
probably too late to make any effective difference. I'm sure people
can work out a comfortable middle ground for themselves.

FWIW, we saw attacks here on 25th April, 12 days after the patch was
published. I don't know that they were the only attacks, or that they
were the first ones.

 I would personally prefer my computer in the middle minefield knowing where
 the mines are rather than being in a minefield with only half the mines
 active and my not knowing where they are.

I agree. Just as long as I can access it remotely :)

cheers,
 Jamie
-- 
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/



Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

2004-04-27 Thread VeNoMouS
Look at it this way: you make 0day non-disclosure, it goes around in a small
circle, then a bigger circle, and the developers of the problem never find out
about it until it's too late.

btw James, love the documentation on your website, Massey security at its
finest eh...
- Original Message - 
From: James Riden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 11:56 AM
Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui 
de lines


 Poof [EMAIL PROTECTED] writes:

  Stupid question here...

  So the entire point about the not releasing PoC code is so that admins
  don't have to worry about patching?

 [This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
 for testing purposes as soon as it came out, and was glad to have it]

 PoC is good in a lot of ways; but I need to test patches before they
 go out too. Unfortunately this vulnerability was present on two of our
 most important servers. So life is easier for me if the PoC doesn't
 come out in, say, the first week following the patch announcement
 - regardless of whether there's another exploit underground, people
 will get, adapt and use the PoC.

 Basically, I trust the security researchers to consider the time we
 need to test these patches when they're releasing PoC code. They may
 know that there's already an exploit out in the blackhat community,
 in which case publishing won't make any difference to someone's actual
 security - as opposed to their perceived security.

  Isn't this anti-security?

 A lot of us patch quickly. People who haven't patched after two to
 three weeks or so probably aren't going to at all. All other things
 being equal, two weeks after might be a good time to publish where the
 patch affects critical services.

 Day 1 is probably too soon for comfort for most of us. Day 60 is
 probably too late to make any effective difference. I'm sure people
 can work out a comfortable middle ground for themselves.

 FWIW, we saw attacks here on 25th April, 12 days after the patch was
 published. I don't know that they were the only attacks, or that they
 were the first ones.

  I would personally prefer my computer in the middle of a minefield knowing
  where the mines are rather than being in a minefield with only half the mines
  active and not knowing where they are.

 I agree. Just as long as I can access it remotely :)

 cheers,
  Jamie
 --
 James Riden / [EMAIL PROTECTED] / Systems Security Engineer
 Information Technology Services, Massey University, NZ.
 GPG public key available at: http://www.massey.ac.nz/~jriden/